Regression: OpenSSL initialisation in libdns broken after f3a0dac0
Summary
When using dig, host or nslookup, the tools exit with an error right on start:
28-Mar-2024 14:52:40.027 error:03000096:digital envelope routines::operation not supported for this keytype:crypto/evp/pmeth_gn.c:354:
host: dst_lib_init: crypto failure
This error is related to configuring an engine section in openssl.cnf; it goes away when removing the engine from OpenSSL.
BIND version affected
I bisected this issue to
# first bad commit: [f3a0dac0573d21887ee0fa262b2c3a75466a538b] Check that we can verify a signature at initialisation time
Steps to reproduce
- Configure pkcs11 engine in openssl.cnf
- Run dig
What is the current bug behavior?
dig exits with the "crypto failure" error message mentioned above
What is the expected correct behavior?
dig should succeed without error
Relevant configuration files
#openssl.cnf
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/host/lib/openssl-3/lib/engines-3/libpkcs11.so
MODULE_PATH = libykcs11.so
#init = 1